| Summary: | [RFE][horizon]: Implement RBAC support for volume | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | RHOS Integration <rhos-integ> |
| Component: | python-django-horizon | Assignee: | RHOS Maint <rhos-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Ido Ovadia <iovadia> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aberezin, ajeain, aortega, dnavale, iovadia, jpichon, markmc, mrunge, yeylon |
| Target Milestone: | Upstream M2 | Keywords: | FutureFeature, Triaged |
| Target Release: | 5.0 (RHEL 7) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | https://blueprints.launchpad.net/horizon/+spec/block-rbac | | |
| Whiteboard: | upstream_milestone_icehouse-2 upstream_status_implemented upstream_definition_new | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | With this update, Role Based Access Control (RBAC) support has been added for the Block Storage service. After copying the Block Storage policy.json file to /etc/openstack_dashboard/cinder_policy.json, some actions, such as Delete, are displayed only when allowed by the policy. | Story Points: | --- |
| Clone Of: | | | |
| : | 1084296 | Environment: | |
| Last Closed: | 2014-07-08 15:43:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1084296 | | |

Description
RHOS Integration
2013-12-12 20:20:25 UTC
Moving to POST based on upstream status (Implemented).

How to test:

1. Look at the policy file in /etc/openstack_dashboard/cinder_policy.json and amend it (e.g. only allow an action for admins then log in as a regular user). No need to restart httpd.
2. Refresh the Project or Admin Volume page as appropriate and check that the new policy has taken effect, usually meaning the action button is not visible anymore.

Currently supported actions on the Horizon interface:

Admin Volumes panel:
* Create/Delete volume type (volume_extension:types_manage)

Project Volumes panel:
* Create volume (volume:create)
* Edit attachment (compute:attach_volume and compute:detach_volume)
* Create snapshot (volume:create_snapshot)
* Detach volume (compute:detach_volume)

Project Images and Snapshots panel:
* Deleting a volume snapshot (volume:delete_snapshot)
* Create a volume from a snapshot (volume:create)

Note: Perhaps wait for this bug to be resolved first as policies are not correctly interpreted in some cases at the moment, cf. https://bugs.launchpad.net/horizon/+bug/1274053

1. Should it be implemented on M2 or M3?
2. After testing according to the instructions, it seems it doesn't work.

Although the feature was implemented in M2, there is a related bug (linked to in comment 3) that was only fixed in M3. The feature won't work well without it.

However the bug we're currently seeing in RDO M2 installed using Packstack is different: the cinder policy file isn't loaded at all. You can work around that by updating your local settings policy files to include the 'volume' attribute as below, or simply comment the dictionary out:

    POLICY_FILES = {
        'identity': 'keystone_policy.json',
        'compute': 'nova_policy.json',
        'volume': 'cinder_policy.json'
    }

(You'll still have to wait for LP 1274053 in the M3 packages before testing, though).

I filed https://bugs.launchpad.net/puppet-horizon/+bug/1296636 upstream to get the puppet files updated in order to avoid similar problems in the future.

Thanks! I can only test that after the workaround you suggested.

Need more info:
---------------
From Comment3:

Admin Volumes panel:
* Create/Delete volume type (volume_extension:types_manage)

1. I don't understand the logic, do we want to prevent the admin from creating a volume? Can you please give more information how it should work and how to test?

Project Volumes panel:
* Edit attachment (compute:attach_volume and compute:detach_volume)
* Detach volume (compute:detach_volume)

2. How can I do that? I don't have these lines on /etc/openstack-dashboard/cinder_policy.json. Should I add it, or edit nova_policy.json?

Hi Ido,

1. volume_extension:types_manage is about creating and deleting "volume types". There's a section in the admin volumes panel, below the volume list, to manage volume types. At the moment, it doesn't necessarily make a lot of sense to change the policy to prevent admins from managing the types unless for example volume types are not supported by your Cinder backend (since it is an extension), and you don't want it to be shown. In the future, we want to be able to display everything based on policy rather than role, so this will enable non-admins to manage volume types if they are allowed to by the policy, in a future release.

2. You're correct: although it also relates to volumes, attaching a volume to an instance is authorised or disabled according to the Nova (compute) policy file.

I hope this helps.

Verified:
========
python-django-horizon-2014.1-0.5.b3.el7.noarch
openstack-dashboard-2014.1-0.5.b3.el7.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0855.html
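
An added example, not part of the bug report and not Horizon's own code: a small evaluator that walks the test procedure from this thread, mapping each listed action to its policy scope and rule and reporting whether it would be shown for a given set of roles. The rule syntax is a simplified subset, the sample policies and role names are constructed, and `allowed` and `visible_actions` are hypothetical helpers; `None` marks an action whose rule is not defined by any loaded policy file, as when 'volume' is missing from POLICY_FILES.

```python
import json

# Constructed sample policies in a simplified string rule syntax (assumption).
CINDER = json.loads('''{
  "admin_api": "role:admin",
  "volume:create": "",
  "volume:create_snapshot": "",
  "volume:delete_snapshot": "",
  "volume_extension:types_manage": "rule:admin_api"
}''')
NOVA = json.loads('''{
  "compute:attach_volume": "",
  "compute:detach_volume": "role:admin or role:operator"
}''')

# Horizon actions and the (scope, rule) pairs listed in the bug report.
ACTIONS = {
    "Create/Delete volume type": [("volume", "volume_extension:types_manage")],
    "Create volume": [("volume", "volume:create")],
    "Edit attachment": [("compute", "compute:attach_volume"),
                        ("compute", "compute:detach_volume")],
    "Create snapshot": [("volume", "volume:create_snapshot")],
    "Detach volume": [("compute", "compute:detach_volume")],
    "Delete volume snapshot": [("volume", "volume:delete_snapshot")],
}

def allowed(rule, rules, roles, depth=0):
    """'' allows everyone; terms are 'role:x' or 'rule:y', joined by ' or '."""
    if depth > 10:
        raise ValueError("rule reference loop")
    if not rule.strip():
        return True
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in roles:
            return True
        if kind == "rule" and value in rules:
            if allowed(rules[value], rules, roles, depth + 1):
                return True
    return False

def visible_actions(loaded, roles):
    """True/False per action; None when no loaded policy defines a needed rule."""
    out = {}
    for action, needed in ACTIONS.items():
        if any(name not in loaded.get(scope, {}) for scope, name in needed):
            out[action] = None  # scope missing from POLICY_FILES, or rule absent
        else:
            out[action] = all(allowed(loaded[s][n], loaded[s], roles) for s, n in needed)
    return out
```

Pass `loaded` as a dict keyed like POLICY_FILES ('compute', 'volume') whose values are the parsed policy files; amending a rule to `rule:admin_api` and re-running with a non-admin role set mirrors step 1 and step 2 of the test instructions.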